Senator Craig J. Zucker, Senate Chair, Joint Audit and Evaluation Committee 
Delegate Shelly L. Hettleman, House Chair, Joint Audit and Evaluation Committee 
Members of Joint Audit and Evaluation Committee 
Annapolis, Maryland 

Ladies and Gentlemen: 

We have conducted a fiscal compliance audit of the Maryland State Department 
of Education (MSDE) for the period beginning July 1, 2014 and ending December 
31, 2017. MSDE is responsible for setting statewide goals for school 
performance, monitoring school achievement, distributing financial aid, and 
providing technical assistance to local school and library systems. MSDE also 
operates educational programs in the State’s juvenile facilities, provides services 
to people with disabilities, and oversees child care programs and family support 
centers in the State. 

Our audit disclosed that MSDE’s Division of Rehabilitation Services (DORS) did 
not always make initial contacts with consumers and prepare individual plans for 
employment (IPE) timely. Specifically, for a number of consumer cases tested, 
DORS did not comply with certain timing requirements (such as completing an 
IPE within 90 days of the eligibility determination) established by its policy. 
Furthermore, DORS did not have adequate controls in place to prevent payments 
for consumer services from exceeding amounts approved in the IPEs. Based on 
DORS expenditure data as of January 2018, cumulative payments for 
approximately 2,600 of the 12,500 active consumers exceeded approved amounts 
by $10.9 million. Ensuring all services received are reflected in approved plans 
would provide DORS with added control over the related costs and would provide 
a better opportunity to address the number of applicants currently placed on a wait 
list. 

In addition, federal fund reimbursement requests for the Nutrition Block Grant 
were not always complete and timely, resulting in lost investment income totaling 
approximately $300,000. For example, MSDE erroneously omitted $92 million 
in qualified expenses over a three-month period and, although the error was 
subsequently resolved, the failure to recover these funds timely resulted in lost 
investment income. 

We also noted a number of deficiencies with MSDE’s security and control over 
its information systems and network. For example, MSDE inappropriately stored 
certain sensitive personally identifiable information for 1,430,490 students and 
233,130 teachers in its databases and applications without adequate safeguards. 

In addition, MSDE lacked assurance that certain critical applications and systems 
managed by service providers were sufficiently protected against operational and 
security risks. Further, MSDE did not have a complete information technology 
disaster recovery plan. We also noted that malware protection was not sufficient 
to provide assurance that its computers were protected. Specifically, we found 
certain servers running on outdated and no longer supported operating systems 
and a number of computers had not been updated with the latest releases for 
software products that were known to have significant security-related 
vulnerabilities. 

Our audit also disclosed other findings involving accounting for and controlling 
certain State-funded grants and collections. 

Finally, our audit included a review to determine the status of 9 of the 11 findings 
contained in our preceding audit report. We determined that MSDE satisfactorily 
addressed 7 of these findings. The remaining 2 findings are repeated in this 
report. Our audit did not include a review of the status of the 2 findings contained 
in our preceding audit report that related to Child Care Programs; the status of 
these findings was determined during our separate audit of the MSDE’s Division 
of Early Childhood. 

MSDE’s response to this audit is included as an appendix to this report. We 
reviewed the response and noted general agreement to our findings and related 
recommendations, and we will advise the Joint Audit Committee of any 
outstanding issues that we cannot resolve with MSDE. 
We wish to acknowledge the cooperation extended to us during the audit by 
MSDE and its willingness to address the audit issues and implement appropriate 
corrective actions. 


Respectfully submitted, 



Gregory A. Hook, CPA 
Legislative Auditor 
Background Information 


Agency Responsibilities 

The Maryland State Department of Education (MSDE), as the staff agency of the 
State Board of Education, supports the development and operation of educational 
and library programs throughout the State. MSDE is responsible for setting 
Statewide goals for school performance, monitoring school achievement, 
distributing financial aid, and providing technical assistance to local school and 
library systems. MSDE also operates educational programs in the State’s juvenile 
services facilities, and provides services to people with disabilities through its 
Division of Rehabilitation Services. According to the State’s records, during 
fiscal year 2017, MSDE’s operating expenditures totaled approximately $7.7 
billion, which included $7.4 billion in grant-related expenditures that are 
primarily awarded to local education agencies. 

MSDE’s Division of Early Childhood (previously named the Division of Early 
Childhood Development), which oversees child care programs and family support 
centers in the State, was audited separately. Activities of the Division of Early 
Childhood were included in the scope of our preceding audit of MSDE. 

Maryland State Library Agency 

Chapter 338, Laws of Maryland 2017, effective July 1, 2017, established the 
Maryland State Library Agency and the Maryland State Library Board. This law 
also abolished the Division of Library Development Services within MSDE, and 
transferred the related duties and responsibilities of the Division to the newly 
established Agency and Board. The scope of our audit included all activities of 
the Division of Library Development Services prior to July 1, 2017. Activities of 
the Maryland State Library Agency and Board will be audited separately. 

Status of Findings From Preceding Audit Report 

Our audit included a review to determine the status of 9 of the 11 findings 
contained in our preceding audit report dated June 22, 2016. We determined that 
MSDE satisfactorily addressed 7 of these findings. The remaining 2 findings are 
repeated in this report as findings 4 and 6. Our audit did not include a review of 
the status of the 2 findings contained in our preceding audit report that related to 
Child Care Programs; the status of these findings was determined during our 
separate audit of the Division of Early Childhood. The status of all preceding 
findings can be found in the following table. 
Status of Preceding Findings 

Preceding Finding / Finding Description / Implementation Status 

Finding 1 
Finding Description: Statewide indirect cost recoveries totaling $12.3 million 
were not reverted to the general fund as required by State law. 
Implementation Status: Not repeated 

Finding 2 
Finding Description: MSDE did not recover federal expenditures in a timely 
manner, resulting in lost interest income of $140,000. 
Implementation Status: Not repeated 

Finding 3 
Finding Description: MSDE improperly used interagency agreements with a 
State university to staff its Chief Information Officer position, and the 
agreements lacked details to facilitate effective monitoring. 
Implementation Status: Not repeated 

Finding 4 
Finding Description: State regulations for procuring services were not always 
adhered to and the procedures for monitoring contractor performance were not 
sufficient. 
Implementation Status: Not repeated 

Finding 5 
Finding Description: Certain collections were not promptly endorsed and 
recorded, and prenumbered receipt forms were not accounted for. 
Implementation Status: Not repeated 

Finding 6 
Finding Description: MSDE did not ensure criminal background checks were 
obtained for all child care facility employees and the results of such checks 
indicating necessary follow-up were not always pursued. 
Implementation Status: Included in our separate audit of the Division of Early 
Childhood 

Finding 7 
Finding Description: User access to the Child Care Administration Tracking 
System was not adequately restricted to only those individuals requiring access 
to perform their jobs and to prevent the recording of improper transactions. 
Implementation Status: Included in our separate audit of the Division of Early 
Childhood 

Finding 8 
Finding Description: Contractors had unnecessary network level access to 
numerous critical MSDE servers and workstations unrelated to the project they 
were assigned. 
Implementation Status: Not repeated 

Finding 9 
Finding Description: MSDE did not properly safeguard sensitive personally 
identifiable information and malware protection over MSDE workstations could 
be inappropriately disabled. 
Implementation Status: Repeated (Current Finding 4) 

Finding 10 
Finding Description: Disaster recovery plans for two locations were not 
comprehensive and backups of certain critical databases were not stored offsite. 
Implementation Status: Repeated (Current Finding 6) 

Finding 11 
Finding Description: MSDE did not make timely disclosure to the appropriate 
legal authorities of certain questionable payroll and personnel activity related 
to five employees. 
Implementation Status: Not repeated 
Findings and Recommendations 


Division of Rehabilitative Services 

Background 

The Maryland State Department of Education’s (MSDE) Division of 
Rehabilitation Services (DORS) helps enable persons with physical or mental 
disabilities to live and work independently by providing medical and vocational 
evaluation, counseling and guidance, and training in vocations and independent 
living skills. DORS also provides reader and interpreter services, physical and 
mental restoration, and rehabilitation engineering to help persons with disabilities 
find and keep jobs. 


Finding 1 

MSDE’s DORS did not always make initial consumer contacts and complete 
individual plans for employment (IPEs) timely. In addition, we determined 
that, as of January 2018, DORS paid $10.9 million more for consumer 
services than budgeted in the approved IPEs for 2,600 consumers. 


Analysis 

DORS did not always make initial consumer contacts and complete IPEs timely, 
in accordance with its established policies, and certain documentation deficiencies 
were noted with consumer eligibility determinations and IPEs. In addition, 
DORS did not adequately control consumer payments. Based on DORS 
expenditure data as of January 2018, we determined that cumulative expenditures 
for approximately 2,600 active consumers exceeded the amounts in the approved 
IPEs by more than $10.9 million during the consumers’ enrollment in the 
program. According to State records, during fiscal year 2017 DORS expenditures 
for consumer-related services totaled approximately $69.3 million, including 
$51.9 million in federal fund expenditures. 

Applicants seeking services from DORS are placed in one of three categories 
based on their level of disability during their eligibility determination. 

• Individuals determined to be the most significantly disabled are to be provided 
services by DORS immediately after preparation of the related IPE. 

• Individuals with less significant disabilities are initially placed on a wait list 
for DORS services. 

• Individuals with non-severe disabilities are referred to other public and private 
entities for employment assistance resources. Because of limited DORS 
funding, these services are paid for by the other entities. 
Consumer Contact, Eligibility Determination, and IPE Issues Existed 

DORS did not always make consumer contacts and/or complete IPEs timely. If 
DORS’ processes are not completed timely, the delivery of services to qualified 
consumers could be delayed. Additionally, certain documentation and approval 
deficiencies were noted related to eligibility determinations and IPEs. DORS 
caseworkers create an IPE for each consumer approved for services that outlines 
the services to be provided and an estimate of the related costs. DORS policies 
require all initial IPEs and any subsequent modifications receive supervisory 
review and approval. Our test of 20 consumer cases with related service 
expenditures paid by DORS totaling approximately $1.4 million disclosed the 
following deficiencies. 

• Eight individuals who had been referred to DORS for services from other 
entities (such as from the Maryland Department of Health) were not contacted 
by DORS within 10 working days of receipt of the referral, as required by its 
policies. Delays between the referral and initial contact with the eight 
individuals ranged from 12 to 77 days beyond the 10 days required by policy. 
This initial contact provides guidance to consumers regarding the application 
and eligibility processes. 

• Two eligibility determinations were processed and approved by the same 
individual and, therefore, were not subject to independent review. In addition, 
2 IPEs were not signed by the consumers until the consumers had received 
services for seven or eight months and, finally, DORS could not locate one of 
the 20 IPEs selected for testing. 

• Six IPEs were not completed within 90 days of the eligibility determinations 
in accordance with DORS policies. Delays for these 6 IPEs ranged from 22 to 
474 days beyond the 90-day requirement. 

Consumer Payments Exceeded Approved Amounts 

DORS did not have adequate controls in place to prevent payments for consumer 
services that exceeded the amounts approved in the related IPEs. DORS 
caseworkers routinely authorized payments for consumer services that exceeded 
the amounts approved in the IPEs without modifying the IPEs and obtaining 
supervisory approval as required. Specifically, DORS policies require all IPEs 
and related authorizations for services to be approved based on various criteria 
that consider the associated costs of services. The approved IPEs are entered into 
MSDE’s automated system, which then tracks related expenditures by consumer. 
Based on DORS expenditure data from the automated system as of January 2018, 
cumulative expenditures for approximately 2,600 of the 12,500 active consumers 
($23.1 million) exceeded the amounts in the approved IPEs ($12.2 million) by 
approximately $10.9 million, representing an excess of 89 percent over the 
approved amounts for these IPEs. 

Payments in excess of amounts approved are particularly significant because if 
the related services were found to be unnecessary or excessive, the funds 
potentially could have been used to provide services to individuals who had been 
placed on the DORS wait list. Certain applicants are placed on a wait list instead 
of immediately receiving services because of mandatory federal funding levels for 
specific services and limited DORS staff. According to DORS, as of November 
2018, there were approximately 2,600 individuals on the wait list, with a typical 
wait time of up to 32 months. 

Recommendation 1 
We recommend that MSDE 

a. ensure consumer contacts and IPEs are made timely, eligibility 
determinations are independently approved, and IPEs are appropriately 
documented in accordance with DORS policies; and 

b. establish controls to ensure that payments do not exceed approved 
consumer IPEs and that any modifications are documented and approved 
as required. 


Federal Funds 


Finding 2 

Federal fund reimbursement requests for the Nutrition Block Grant were not 
always complete and timely, resulting in lost investment income totaling 
approximately $300,000. 


Analysis 

Federal fund reimbursement requests for the Nutrition Block Grant were not 
always complete and were not always made timely, resulting in lost investment 
income of approximately $300,000. During fiscal year 2017, MSDE processed 
federal fund reimbursement requests totaling approximately $1 billion, including 
$322.7 million for the Nutrition Block Grant. 

• MSDE erroneously omitted $92 million in qualified expenditures when 
processing the November 2017, December 2017, and January 2018 monthly 
reimbursement requests. These expenditures were not included in the 
reimbursement requests because the expenditure reports supporting the 
requests improperly excluded certain expenditures due to a coding error. 
MSDE identified and resolved the error in March 2018, and subsequently 
recovered the funds. The failure to recover these expenditures in the 
appropriate monthly request resulted in lost investment income to the State of 
approximately $232,000. 

• MSDE did not always submit federal reimbursement requests in a timely 
manner. We tested 10 reimbursement requests submitted during the period 
between December 2014 and November 2017, totaling approximately $440.9 
million, and noted that 4 requests totaling approximately $129.4 million were 
recovered between 7 and 33 days after the dates allowed by the grant 
agreements. As a result, MSDE lost investment income totaling 
approximately $73,500. In addition, we reviewed MSDE’s federal fund 
recoveries for grant years 2015 through 2017 and noted that approximately 
$152,000 in expenditures incurred during that period had not been recovered 
as of June 2018. According to MSDE management, these funds are still 
available and MSDE plans to seek recovery of the funds in the near future. 

Although reimbursement requests were reviewed by supervisory personnel, the 
reviews generally presumed the accuracy of the underlying expenditure reports, 
and did not ensure that comprehensive reimbursement requests were processed 
and subsequent recoveries were received in a timely manner. 

Recommendation 2 
We recommend that MSDE 

a. enhance its supervisory review process for federal fund reimbursement 
requests to ensure all allowable expenditures are included and requests 
are submitted timely, in accordance with the applicable grant 
agreements; and 

b. take appropriate action to recover the aforementioned $152,000 in 
expenditures that have not yet been recovered. 


State-Funded Grants 


Finding 3 

MSDE did not verify the accuracy of grantee expenditure data and 
performance reports, and did not conduct comprehensive site visits of 
grantees. 


Analysis 

MSDE did not verify the accuracy of expenditure and performance data reported 
by grantees, and did not conduct comprehensive site visits of grantees. According 
to its records, during fiscal year 2017, MSDE administered 28 State-funded grants 
with expenditures totaling $121.5 million.¹ We performed a detailed review of 
three State-funded grants with expenditures totaling $21.2 million in fiscal year 
2017. These grants, administered by three different MSDE divisions, were made 
to a non-profit educational institution to provide services to Maryland public 
school children, to a school for disadvantaged at-risk youth, and to a local 
government for a home visiting program that promotes health and development of 
families. Our review disclosed the following conditions: 

• MSDE did not verify the accuracy of expenditure and performance data 
reported by any of the three grantees tested. Grantees were required to submit 
periodic expenditure and performance reports (such as reports of enrollment 
and graduation rates); however, MSDE did not obtain documentation from the 
grantees to substantiate the self-reported data. These data are critical for 
ensuring the propriety of the grant expenditures and grantee compliance with 
grant performance requirements. The grant agreements authorize MSDE to 
inspect, audit, and examine grantee records. 

• For the three grants reviewed, grantee site visits were not always documented, 
comprehensive, and timely. While not specifically required by the grant 
agreements, site visits help ensure that grant funds are being used as intended 
and that grantees are maintaining appropriate records. For example, site visits 
to the school for disadvantaged at-risk youth that received $10.3 million in 
State funds during fiscal year 2017 did not include a review of procedures 
over student enrollment and incident reporting. For another grant to local 
governments for $4.6 million, MSDE relied on a third party to perform 
monthly site visits, but did not confirm the site visits actually occurred. We 
subsequently obtained documentation of the site visits directly from the third- 
party entity and noted that the visits were appropriately comprehensive. 

These conditions were caused, in part, by the lack of comprehensive grant policies 
and procedures to be used by the respective MSDE divisions that administered 
these grants. As a result, assurance was lacking that required services were 
provided and grant funds were used in accordance with the related grant 
agreements. 


¹ These expenditures exclude grants for which there were no specific grant deliverables, such as 
the Bridge to Excellence grants to local education agencies. 
Recommendation 3 

We recommend that MSDE establish comprehensive grant policies and 
procedures that include uniform minimum requirements to 

a. verify the accuracy of the grantee’s self-reported expenditure and 
performance data, and 

b. ensure site visits are documented and comprehensive. 


Information Systems Security and Control 

Background 

MSDE information technology (IT) operations are decentralized over several sites 
including the MSDE headquarters. Each site’s IT operations function as a 
separate entity, with its own applications, network components, and detailed 
disaster recovery plan. MSDE’s Office of Information Technology (OIT) is 
responsible for its headquarters site’s IT operations. 

At the beginning of our audit period, the MSDE headquarters and other MSDE 
sites were each solely responsible for supporting their respective locations’ IT 
operations. However, beginning in December 2015, the MSDE, across multiple 
sites, began a conversion to use the State of Maryland Department of Information 
Technology’s (DoIT) IT support services, which ultimately would include the 
following functions: 

• Network and IT Security Services (including firewall and intrusion detection 
prevention systems operations and maintenance and malware protection) 

• IT Service Desk 

• Hardware Support 

• Software Support 

• IT Procurement Services 

As part of the conversion to DoIT IT support services, DoIT personnel assumed 
control of and began to operate and maintain the separate MSDE network, which 
connected MSDE’s remote sites with MSDE headquarters. The combined MSDE 
network provides MSDE users access to various information technology 
applications, network and email services, and Internet access. MSDE personnel 
operated several critical computer applications and related databases on servers 
for which DoIT maintained the related servers’ operating systems software. One 
such critical application included the Educator Information System (EIS), which 
maintains educator accreditation and certification information. 
Based on our analysis of associated risks, our audit focused primarily upon 
reviewing IT security controls over the MSDE headquarters operations. 


Finding 4 

Sensitive personally identifiable information (PII) maintained by MSDE was 
stored without adequate safeguards. 


Analysis 

Sensitive PII maintained by MSDE was stored without adequate safeguards. 
Specifically, we obtained confirmation from MSDE management personnel that 
certain significant applications included databases in which PII was stored in clear 
text. For example, as of June 29, 2018, we determined that separate databases for 
statewide student and teacher identity information held 1,430,940 unique student 
names and Social Security numbers (SSNs) and 233,130 unique teacher names 
and SSNs, respectively; all stored in clear text. In addition, we noted that this 
sensitive PII was not adequately protected by other substantial mitigating controls 
such as the use of data loss prevention software. Furthermore, while MSDE had 
manually inventoried its applications as of September 2017 to identify all 
sensitive PII, we determined that this effort was incomplete and had not included 
the identification of PII in all MSDE applications, including those noted above 
with PII stored in clear text. A similar condition concerning PII storage was 
commented upon in our preceding audit report. 

This sensitive PII is commonly associated with identity theft. Accordingly, 
appropriate information system security controls need to exist to ensure that this 
information is safeguarded and not improperly disclosed. The State of Maryland 
Information Security Policy states that confidential data should be protected using 
encryption and/or other substantial mitigating controls. 

Recommendation 4 

We recommend that MSDE, in conjunction with DoIT, 

a. perform a manual inventory of all of its systems, identify all sensitive PII, 
and delete all unnecessary sensitive PII; and 

b. use an approved encryption method, or other substantial mitigating 
controls to properly protect all necessary sensitive PII (repeat). 
Finding 5 

MSDE lacked assurance that certain significant applications and sensitive 
student data managed by third-party contractors were properly secured 
against operational and security risks. 


Analysis 

MSDE lacked assurance that certain significant applications and sensitive student 
data managed by third-party contractors were properly secured against operational 
and security risks. 

Division of Special Education 

MSDE lacked assurance that three significant Division of Special Education 
applications managed by a third-party service provider were sufficiently protected 
against operational and security risks. For the period of June 29, 2017 to 
September 30, 2018, the Division executed four grant agreements, utilizing 
federal funds, which outsourced the operations and maintenance of the three 
applications to a local university. The university, in turn, subcontracted with an 
IT service provider to maintain and host the applications within its data center. 

The applications each contained PII including names and related SSNs from 
approximately 57,000 to 719,000 records, and none of the applications were 
included in the manual inventory to identify PII noted in Finding 4. 

Our review disclosed the grant agreements with the university did not contain 
provisions related to several significant control factors. For example, provisions 
were not defined relating to data retention and backup or disaster recovery. 
Additionally, the agreements did not require the university or the subcontractors 
to obtain an independent review of the operating effectiveness of critical controls 
over the systems. 

As of June 2018, MSDE had not obtained a System and Organization Controls 
(SOC) report or any other similar independent security assurance report over the 
special education applications. Based on our inquiries, we determined that the 
university’s IT hosting subcontractor had a recent SOC 2 Type 2 review 
performed, with a related report issued, covering the period of February 1, 2017 to 
January 31, 2018 which MSDE obtained at our request. Although the SOC report 
did not identify any weaknesses related to the service organization’s system 
description and the suitability of the design and operating effectiveness of 
controls, the report did not address certain critical security controls necessary for 
the special education applications, which are typically included in a SOC 2 review 
for the security and availability principles. For example, the SOC review did not 
test controls related to encryption of sensitive data (such as PII) at rest. 
Student Assessments Data 

MSDE lacked assurance that sensitive student data and confidential testing 
material maintained by third-party school assessment contractors were properly 
secured against operational and security risks. MSDE contracted with five 
companies to develop, administer, and score school assessments and to report the 
related results. These contractors retained sensitive student data including names, 
dates of birth, gender, and special needs status, as well as assessment results and 
confidential test questions and answers. Our review of four contracts, collectively 
valued at approximately $75 million, with three of the five contractors, disclosed 
that independent security review reports were not obtained during the audit 
period. 

Specifically, MSDE did not require nor obtain a SOC 2 Type 2 or any other 
independent security review report for three contracts with two contractors. 
Although, effective April 1, 2017, the fourth contract required the contractor to 
obtain an independent review, MSDE had not obtained any review results as of 
July 2018. In response to our request, MSDE attempted to obtain the results in 
May 2018, but the contractor only provided a copy of its information security 
policy. We could not readily determine how many of the 886,221 students 
enrolled during the 2017 school year had sensitive information maintained by 
each contractor. However, according to MSDE records, one of the 
aforementioned contractors’ system maintains data for approximately 166,000 
students. 

The American Institute of Certified Public Accountants has issued guidance 
concerning examinations of service organizations. Based on this guidance, 
service organizations (such as these MSDE third-party contractors) may contract 
for an independent review of controls for which the resultant independent 
auditor’s report is referred to as a System and Organization Controls report. 

While SOC reports vary in scope, considering the nature and sensitivity of the 
applications managed and information maintained by the third-party contractors, 
we believe a SOC 2 Type 2 report should be required for the contractors. 

A SOC 2 Type 2 report includes the results of the auditor’s review of controls 
placed in operation and tests of operating effectiveness for the period under 
review and could include an evaluation of system security, availability, processing 
integrity, confidentiality, and privacy. 
Recommendation 5 
We recommend that MSDE 

a. as necessary, seek to amend its existing agreements and contracts to 
include provisions that address the aforementioned security and 
operational risks (such as independent security reviews); 

b. ensure that future third-party agreements and contracts related to the 
maintenance of sensitive information require independent security 
reviews; and 

c. obtain and review the results of these security reviews to ensure all 
relevant and critical security controls were addressed and that any 
deficiencies identified in the reviews are corrected, and document and 
retain these reviews for future reference. 


Finding 6 

MSDE did not have a complete information technology disaster recovery 
plan (DRP) for recovering computer operations. 


Analysis 

MSDE’s information technology DRP for recovering computer operations from 
disaster scenarios (for example a fire) was not comprehensive. The State of 
Maryland Information Technology Disaster Recovery Guidelines establish the 
minimum required elements needed for a DRP. MSDE’s DRP did not address 
certain of these minimum requirements. For example, the DRP did not contain 
adequate details on the priorities of applications for restoration and 
comprehensive and up-to-date listings of required hardware and software. In 
addition, copies of the DRP had not been distributed to DRP team members for 
ready availability. Finally, as of May 2018, the DRP had not had significant 
testing performed during the two prior years. Without a complete and tested 
DRP, a disaster could cause significant delays (for an undetermined period of 
time) in restoring information systems operations above and beyond the expected 
delays that would exist in a planned recovery scenario. Our three prior audit 
reports have commented upon weaknesses in MSDE’s existing information 
technology disaster recovery plans. 

Recommendation 6 

We recommend that MSDE, in conjunction with DoIT 
a. develop and implement a comprehensive DRP that is in accordance with 
the aforementioned Information Technology Disaster Recovery Guidelines 
(repeat); and 

b. periodically test various DRP elements, document the testing, and retain 
the documentation for future reference. 
Finding 7 

Malware protection was not sufficient to provide MSDE with adequate 
assurance that its computers were properly protected. 


Analysis 

Malware protection was not sufficient to provide MSDE with adequate assurance 
that its computers were properly protected. The MSDE headquarters operations 
involved approximately 1,000 active computers. Using two separate management 
consoles, DoIT controlled software products that were subject to periodic 
software updates in order to reduce the potential for significant security-related 
vulnerabilities. 

• We identified 15 servers running an outdated operating system software 
version that was no longer supported by the operating system developer. 
Developer support for this operating system ended during 2015 and since then 
updates have not been provided for this software to address newly discovered 
software vulnerabilities. 

• Additional computers had not been updated with the latest releases for 
software products that are known to have significant security-related 
vulnerabilities. Although the vendors for these products frequently provide 
software patches to address these vulnerabilities, MSDE computers had not 
been updated for these patches. For example, as of July 3, 2018, we 
determined that 249 of 483 computers running one potentially vulnerable 
application had not been updated for the latest application software update, 
but instead were using software versions whose last updates ranged from 
November 2010 to February 2018, with 3 additional computers whose 
software version was last updated in 2008. 

The State of Maryland Information Security Policy states that agencies, at a 
minimum, must protect against malicious code (viruses, worms, Trojan horses) by 
implementing protections (anti-virus, anti-malware) that, to the extent possible, 
include a capability for automatic updates. 

Recommendation 7 

We recommend that MSDE, in conjunction with DoIT, ensure that 
a. all servers operate with current vendor supported versions of operating 
system software installed, and 

b. all active computers are kept up-to-date for critical security updates to 
potentially vulnerable installed software. 
Cash Receipts 


Finding 8 

Certain MSDE units did not record and restrictively endorse check 
collections immediately upon receipt as required. 


Analysis 

Collections received in certain MSDE units were not adequately controlled upon 
receipt. Collections received at the various MSDE units were forwarded to 
MSDE’s Division of Business Services for deposit and processing. Our review of 
the cash receipts processes at 12 MSDE units disclosed that checks received 
through the mail at 2 units were not recorded and restrictively endorsed 
immediately upon receipt. Rather, these checks were handled by at least two 
employees prior to being recorded and endorsed. Mail receipts of these 2 units 
totaled approximately $8.7 million during fiscal year 2018. 

The Comptroller of Maryland’s Accounting Procedures Manual requires 
immediate recordation and restrictive endorsement of check collections. 

According to MSDE records, the Division of Business Services processed 
collections received directly by mail and forwarded from other MSDE units 
totaling approximately $13.8 million in fiscal year 2018. 

Recommendation 8 

We recommend that MSDE ensure that all units record and restrictively 
endorse checks immediately upon receipt as required by the Comptroller’s 
Accounting Procedures Manual. 







Audit Scope, Objectives, and Methodology 


We have conducted a fiscal compliance audit of the Maryland State Department 
of Education (MSDE) for the period beginning July 1, 2014 and ending December 
31, 2017. The audit was conducted in accordance with generally accepted 
government auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a reasonable basis 
for our findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

As prescribed by the State Government Article, Section 2-1221 of the Annotated 
Code of Maryland, the objectives of this audit were to examine MSDE’s financial 
transactions, records and internal control, and to evaluate its compliance with 
applicable State laws, rules, and regulations. 

In planning and conducting our audit, we focused on the major financial-related 
areas of operations based on assessments of significance and risk. The areas 
addressed by the audit included federal funds, grants, procurements and 
disbursements, budgetary closeout transactions, cash receipts, payroll, and 
information systems security and control. In addition, we reviewed MSDE’s 
responsibilities related to its role on the Interagency Rates Committee, including 
the rate-setting process for residential child care. Our audit also included certain 
support services (including payroll processing, purchasing, maintenance of 
accounting records, and related fiscal functions) provided by MSDE to the 
Maryland Longitudinal Data System Center, the Division of Early Childhood, and 
the Maryland State Library Agency (effective July 1, 2017), all of which are 
audited separately. We also determined the status of 9 of 11 findings contained in 
our preceding audit report. We determined the status of the remaining 2 findings 
during our audit of the MSDE Division of Early Childhood. 

Our audit did not include an evaluation of internal controls over compliance with 
federal laws and regulations for federal financial assistance programs and an 
assessment of MSDE’s compliance with those laws and regulations because the 
State of Maryland engages an independent accounting firm to annually audit such 
programs administered by State agencies, including MSDE. 

To accomplish our audit objectives, our audit procedures included inquiries of 
appropriate personnel, inspections of documents and records, observations of 
MSDE’s operations, and tests of transactions. Generally, transactions were 
selected for testing based on auditor judgment, which primarily considers risk. 
Unless otherwise specifically indicated, neither statistical nor non-statistical audit 
sampling was used to select the transactions tested. Therefore, the results of the 
tests cannot be used to project those results to the entire population from which 
the test items were selected. 

We also performed various data extracts of pertinent information from the State’s 
Financial Management Information System (such as revenue and expenditure 
data) and the State’s Central Payroll Bureau (payroll data), as well as from the 
contractor administering the State’s Corporate Purchasing Card Program (credit 
card activity). The extracts are performed as part of ongoing internal processes 
established by the Office of Legislative Audits and were subject to various tests to 
determine data reliability. We determined that the data extracted from these 
various sources were sufficiently reliable for the purposes the data were used 
during this audit. We also extracted data from the Division of Rehabilitation 
Services’ financial records for the purpose of testing certain areas such as 
payments made for consumers under individual plans for employment. We 
performed various tests of the relevant data and determined that the data were 
sufficiently reliable for the purposes the data were used during the audit. Finally, 
we performed other auditing procedures that we considered necessary to achieve 
our objectives. The reliability of data used in this report for background or 
informational purposes was not assessed. 

MSDE’s management is responsible for establishing and maintaining effective 
internal control. Internal control is a process designed to provide reasonable 
assurance that objectives pertaining to the reliability of financial records; 
effectiveness and efficiency of operations, including safeguarding of assets; and 
compliance with applicable laws, rules, and regulations are achieved. 

Because of inherent limitations in internal control, errors or fraud may 
nevertheless occur and not be detected. Also, projections of any evaluation of 
internal control to future periods are subject to the risk that conditions may 
change or compliance with policies and procedures may deteriorate. 

Our reports are designed to assist the Maryland General Assembly in exercising 
its legislative oversight function and to provide constructive recommendations for 
improving State operations. As a result, our reports generally do not address 
activities we reviewed that are functioning properly. 

This report includes findings relating to conditions that we consider to be 
significant deficiencies in the design or operation of internal control that could 
adversely affect MSDE’s ability to maintain reliable financial records, operate 
effectively and efficiently, and/or comply with applicable laws, rules, and 
regulations. Our report also includes findings regarding significant instances of 
noncompliance with applicable laws, rules, or regulations. Other less significant 
findings were communicated to MSDE that did not warrant inclusion in this 
report. 

The response from MSDE to our findings and recommendations is included as an 
appendix to this report. As prescribed in the State Government Article, Section 2- 
1224 of the Annotated Code of Maryland, we will advise MSDE regarding the 
results of our review of its response. 
APPENDIX 



Karen B. Salmon, Ph.D. 

State Superintendent of Schools 


June 20, 2019 


Mr. Gregory A. Hook, CPA 
Legislative Auditor 
Office of Legislative Audits 
301 West Preston Street 
Baltimore, Maryland 21201 

Dear Mr. Hook: 

Enclosed are the Maryland State Department of Education (MSDE) responses to the draft audit 
report for the period beginning July 1, 2014, and ending December 31, 2017. We greatly 
appreciate the efforts of your audit staff in providing us with recommendations for improvements 
and developing a cooperative relationship with our agency personnel. 

Please be assured that MSDE is giving significant attention to the issues identified in this audit. 
Should you have any additional questions or need additional clarification, please contact Ms. 
Channel Sumpter, Director of Audit at 410-767-0104. Again, thank you for your assistance. 


Best Regards, 



Karen B. Salmon, Ph.D. 

State Superintendent of Schools 


KBS/cds 

Enclosures 

c: Sylvia Lawson, Ph.D. 
Gayle Secrist 
Amalie Brandenburg 
Channel Sumpter 
Richard McElroy 


200 West Baltimore Street • Baltimore, MD 21201 • 410-767-0100 • 410-333-6442 TTY/TDD 

MarylandPublicSchools.org 




Maryland State Department of Education 


Agency Response Form 
Division of Rehabilitation Services 


Finding 1 

MSDE’s DORS did not always make initial consumer contacts and complete individual 
plans for employment (IPEs) timely. In addition, we determined that, as of January 2018, 
DORS paid $10.9 million more for consumer services than budgeted in the approved IPEs 
for 2,600 consumers. 


We recommend that MSDE 

a. ensure consumer contacts and IPEs are made timely, eligibility determinations are 
independently approved, and IPEs are appropriately documented in accordance with 
DORS policies; and 

b. establish controls to ensure that payments do not exceed approved consumer IPEs and 
that any modifications are documented and approved as required. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 

With regard to OLA’s comment about the potential impact of 
discrepancies between estimated cost vs actual cost of the Individual 
Plan for Employment (IPE) and the MSDE Division of Rehabilitation 
Services (DORS) wait list, MSDE is providing some additional 
clarification. MSDE DORS wait list is caused by two factors. The first 
factor is the reduction of staff over the years and the second is the 
implementation of Pre-Employment Transitioning Services (Pre-ETS) as 
required by the Workforce Innovation and Opportunities Act of 2014 
(WIOA). WIOA requires that DORS reserve 15% of its federal funds to 
provide specific services to students with disabilities while they are in 
school. This 15% reserve translates to about 20% to 23% of DORS Case 
Service budget that is no longer available to provide services to 
individuals on the wait list. In addition, the 15% reserve also impacts 
DORS resources since it requires DORS to move a number of 
Vocational Rehabilitation Counselors to handle just the Pre-ETS case 
load when these counselors were traditionally assigned to work with 
adults seeking employment. 

Recommendation 1a 

Agree 

Estimated Completion Date: October 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s DORS Quality Assurance Review Team is currently 
emphasizing during its meetings with district staff at the conclusion of 
quality assurance case reviews, the need to have documentation in the 
case record to validate the referral date entered and to schedule 
appointments to take place within 30 days of that referral date. 

Additionally, DORS has already begun work to streamline the on-line 
referral process that will enter the referrals directly into the DORS Case 
Management System. DORS is also investigating having the initial 
contact letter generated automatically upon the referral information 
being entered into the system. The estimated completion date of the 
implementation of the new on-line referral process is October 1, 2019. 

Finally, DORS executive staff has implemented a new analytical tool to 
provide a more robust reporting to ensure effective monitoring of the 
60-day Eligibility Determinations and the timeliness of the 90-day IPE 
Development. DORS executive staff reviews these reports on a 
bi-weekly basis to identify issues with a particular office or individual 
counselor. 

Recommendation 1b 

Agree 

Estimated Completion Date: September 2019 

Please provide details of 
corrective action or 
explain disagreement. 

DORS will be creating an Estimated vs Actual Cost Report that will help 
monitor when the actual cost reaches 90% or $500, whichever is greater, 
of the plan's approved estimated cost. DORS executive staff will be 
monitoring the report on a bi-weekly basis to determine if adjustments to 
the estimated cost on an individual’s IPE is necessary. In addition, 
DORS Policy for IPE Development will be updated to reflect this 
change. 

Federal Funds 


Finding 2 

Federal fund reimbursement requests for the Nutrition Block Grant were not always 
complete and timely, resulting in lost investment income totaling approximately $300,000. 


We recommend that MSDE 

a. enhance its supervisory review process for federal fund reimbursement requests to 
ensure all allowable expenditures are included and requests are submitted timely, in 
accordance with the applicable grant agreements; and 

b. take appropriate action to recover the aforementioned $152,000 in expenditures that 
have not yet been recovered. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 2a 

Agree 

Estimated Completion Date: May 6, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

Effective May 6, 2019, the Office of School and Community Nutrition 
Programs (OSCNP) has updated its policies and procedures related to 
the monthly draw down requests of federal funds and its procedures 
regarding the reporting of federal authorized amounts from grant awards 
to the Accounting Office. The updated procedures specifically address 
the daily and monthly monitoring of grant activities to ensure the timely 
draw down of federal funds for grant payments. In May 2019, 
Department wide training was conducted on Fiscal Integrity of Federal 
Grants. The Financial Administrator provides the FMIS Focus report to 
the Financial Management Specialist to review posted expenditures and 
to prepare the drawdown request. The Financial Management Specialist 
uses the FMIS Focus report and the Automated Standard Application for 
Payments system report to complete the Letter of Credit. The Financial 
Supervisor will review, approve, and sign the monthly draw requests 
before forwarding to the Accounting Office for processing. 

Recommendation 2b 

Agree 

Estimated Completion Date: June 28, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

The OSCNP will contact the United States Department of Agriculture 
(USDA) to submit an updated Food and Nutrition Service 777 (FNS- 
777) Report for the Child Nutrition Block Grant. Upon USDA approval, 
the OSCNP will submit the revised FNS-777 to request additional 
funding on the Nutrition Block Grant. Once the approval is received 
from USDA, the draw request will be submitted to recover the funding 
of $152,000 as noted in the finding. The draw is expected to be 
recovered in the June 2019 draw down request. 
State Funded Grants 


Finding 3 

MSDE did not verify the accuracy of grantee expenditure data and performance reports, 
and did not conduct comprehensive site visits of grantees. 


We recommend that MSDE establish comprehensive grant policies and procedures that 
include uniform minimum requirements to 

a. verify the accuracy of the grantee’s self-reported expenditure and performance data, 
and 

b. ensure site visits are documented and comprehensive. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 3a 

Agree 

Estimated Completion Date: August 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE will establish procedures to verify the accuracy of the grantees’ 
self-reported expenditure and/or performance data for the three grants 
tested. In March 2019, MSDE Divisions began implementing 
procedures for verifying expenditure and certain performance data 
reported for the three grantees. The verification process will include, but 
not be limited to, reviewing a sample of school reservations, a review of 
some administrative or program components of the grant, and the 
implementation of a programmatic monitoring schedule to verify the 
accuracy of each grantee’s data. 

Program Directors and Contract Managers, on a sample basis, will 
obtain supporting documentation from the grantee (i.e., school 
reservations, review of program components, local management boards 
monitoring reports) to verify the accuracy of expenditure and/or 
performance data submitted in the grantees’ periodic reports. This 
verification will be performed on an annual basis during the grantees’ 
site visits or as part of a grantees’ contract and programmatic monitoring 
activities. 

In addition to the invoice review procedures currently performed, MSDE 
DEI/SES will conduct comprehensive site visits beginning July 2019. 

The comprehensive site visit will also include a review to verify the 
accuracy of the grantee’s expenditures. DEI/SES staff will select a 
sample of expenditures from the budget objects and review the grantee's 
supporting documentation during the site visit. All reviews and 
verifications performed will be documented by MSDE Divisions and 
documentation will be retained for audit purposes. 

Recommendation 3b 

Agree 

Estimated Completion Date: August 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE will ensure that site visits conducted are documented, 
comprehensive and timely. MSDE’s Division of Student Support, 
Academic Enrichment, and Educational Policy (DOSSAEEP) will have 
an annual site visit completed for all 42 grantees by the end of fiscal year 
2019 with the exception of programs funded for summer activities. All 
completed site visits are documented and each grantee receives a copy of 
the site visit report. MSDE DOSSAEEP will annually review one of the 
administrative or program components listed in grantees’ operating 
contract. The administrative or program component review as well as 
any follow up actions will be documented and retained for audit 
verification purposes. MSDE, DEI/SES will review the fiscal 
monitoring reports performed by the Governor’s Office for Children 
(GOC) to ensure that site visits are documented and comprehensive. 

The GOC fiscal monitoring reports will be copied and placed in the 
corresponding grant folder filed at MSDE. For programmatic oversight, 
the MSDE, DEI/SES will conduct comprehensive site visits and retain 
documentation of each site visit in the corresponding grant folder. 
Information Systems Security and Control 


Finding 4 

Sensitive personally identifiable information (PII) maintained by MSDE was stored 
without adequate safeguards. 


We recommend that MSDE, in conjunction with DoIT, 

a. perform a manual inventory of all of its systems, identify all sensitive PII, and delete all 
unnecessary sensitive PII; and 

b. use an approved encryption method, or other substantial mitigating controls to 
properly protect all necessary sensitive PII (repeat). 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 4a 

Agree 

Estimated Completion Date: 

September 
30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will work with the appropriate divisions to manually survey the agency’s 
automated applications and to identify all MSDE applications containing 
sensitive PII. Once the final list of all MSDE applications containing PII 
has been defined, MSDE’s Information Technology Division will work 
with each division to identify what PII needs to be retained. Any 
sensitive PII that does not need to be retained will be deleted from the 
systems. 

Recommendation 4b 

Agree 

Estimated Completion Date: 

September 
30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will implement an approved encryption method or implement substantial 
mitigating controls on systems that contain PII. 
Finding 5 

MSDE lacked assurance that certain significant applications and sensitive student data 
managed by third-party contractors were properly secured against operational and 
security risks. 


We recommend that MSDE 

a. as necessary, seek to amend its existing agreements and contracts to include provisions 
that address the aforementioned security and operational risks (such as independent 
security reviews); 

b. ensure that future third-party agreements and contracts related to the maintenance of 
sensitive information require independent security reviews; and 

c. obtain and review the results of these security reviews to ensure all relevant and critical 
security controls were addressed and that any deficiencies identified in the reviews are 
corrected, and document and retain these reviews for future reference. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 

MSDE DEI SES agrees that the grant agreement alone with the local 
university lacked provisions regarding cited security and operational 
risks. However, it should be noted that the grant agreement addresses 
project management, not data security responsibilities. Aside from the 
grant agreement, MSDE and the university have a Memorandum of 
Understanding (MOU) regarding the three referenced applications which 
does address various data security issues. Specifically, it outlines the 
responsibilities of the university as it relates to maintenance of 
confidential education records and the personally identifiable 
information (PII) contained therein. The Security Requirements of the 
MOU state that the university shall maintain data on secure servers that 
are assessed for security risks annually by an independent entity. 

Recommendation 5a 

Agree 

Estimated Completion Date: September 30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE will amend the existing MOU with the university and one of the 
assessments contracts to include the significant security control 
provisions such as an independent security review as noted in the 
analysis section of the finding. MSDE will incorporate by reference the 
revised MOU in all SFY 2020 grant agreements by June 30, 2019. 

Upon renewal of the remaining two assessment contracts, MSDE will 
ensure that the contracts include provisions that address security and 
operational risks and require an independent security review. 
Recommendation 5b 

Agree 

Estimated Completion Date: 

Ongoing 

Please provide details of 
corrective action or 
explain disagreement. 

In the future, MSDE will ensure that third party agreements and 
contracts related to the maintenance of sensitive information require 
independent security reviews. 

Recommendation 5c 

Agree 

Estimated Completion Date: 

September 
30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE DEI SES has obtained and reviewed the SOC 2 Type 2 report 
that was performed of the university’s subcontractor for the period 
February 1, 2018 through January 31, 2019. There were no findings 
identified in the report. 


In the future, MSDE will ensure that independent security reviews are 
obtained as required by the agreement or contract. Upon receipt of the 
independent security review report, MSDE division personnel will 
obtain and review the report to determine if the related review 
adequately addresses security concerns regarding its system applications. 
MSDE division personnel will also review the independent security 
reports to identify any exceptions for the tests performed, follow up on 
any noted exceptions and ensure that the contractor implements the 
related corrective action. Finally, MSDE division personnel will create 
and retain documentation regarding their review activities for future 
reference. 
Finding 6 

MSDE did not have a complete information technology disaster recovery plan (DRP) for 
recovering computer operations. 


We recommend that MSDE, in conjunction with DoIT 

a. develop and implement a comprehensive DRP that is in accordance with the 
aforementioned Information Technology Disaster Recovery Guidelines (repeat); and 

b. periodically test various DRP elements, document the testing, and retain the 
documentation for future reference. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 6a 

Agree 

Estimated Completion Date: 

September 
30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will complete the development of an updated MSDE Headquarters 
Disaster Recovery Plan (DRP) in compliance with the State of Maryland 
Information Technology Disaster Recovery Guidelines. In this regard, 
the updated MSDE Headquarters DRP will include current and complete 
information regarding: required hardware and software, application 
inventories and contact information as required by the State of Maryland 
Information Technology Disaster Recovery Guidelines. 

Recommendation 6b 

Agree 

Estimated Completion Date: 

September 
30, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will periodically test various DRP elements, document the relevant 
testing, and retain the documentation for audit verification purposes. 
Finding 7 

Malware protection was not sufficient to provide MSDE with adequate assurance that its 
computers were properly protected. 


We recommend that MSDE, in conjunction with DoIT, ensure that 

a. all servers operate with current vendor supported versions of operating system 
software installed, and 

b. all active computers are kept up-to-date for critical security updates to potentially 
vulnerable installed software. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 7a 

Agree 

Estimated Completion Date: 

December 31, 
2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will ensure that all servers operate with the current vendor supported 
versions of operating system software installed. MSDE and DoIT’s 
Cloud Services Team investigated the 15 servers identified by OLA as 
running outdated operating system software. As a result of reviewing 
the 15 servers noted in the finding, MSDE’s Information Technology 
Division determined that seven of the 15 servers were decommissioned 
and the remaining 8 are scheduled for migration or replacement during 
calendar year 2019. 

Recommendation 7b 

Agree Estimated Completion Date: 

Bi-Annually 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE’s Information Technology Division, in conjunction with DoIT, 
will ensure that all active computers are kept up-to-date for critical 
security updates to potentially vulnerable installed software. DoIT’s End 
User Services Team is currently in the process of investigating, 
documenting, and removing unnecessary or outdated third party software 
installations. DoIT’s End User Services Team will perform reviews 
every six months of software and perform software patching on 
approved third party software. DoIT’s Security Team will ensure that 
unnecessary software is removed. 
Cash Receipts 


Finding 8 

Certain MSDE units did not record and restrictively endorse check collections immediately 
upon receipt as required. 


We recommend that MSDE ensure that all units record and restrictively endorse checks 
immediately upon receipt as required by the Comptroller’s Accounting Procedures Manual. 


Agency Response 

Analysis 


Please provide 
additional comments as 
deemed necessary. 


Recommendation 8 

Agree 

Estimated Completion Date: 

May 9, 2019 

Please provide details of 
corrective action or 
explain disagreement. 

MSDE agrees with the recommendation. MSDE updated its cash 
procedures to clarify that all checks received should be restrictively 
endorsed immediately by the recipient before forwarding to the 
Accounting Office. All checks received in the Accounting Office are 
restrictively endorsed upon receipt. The Accounting Office has ordered 
and distributed the restrictive endorsement stamps to MSDE divisions. 

On May 9, 2019, MSDE’s Division of Business Services issued a memo 
to all MSDE staff detailing the procedures for the immediate restrictive 
endorsement of payments received. In order to improve internal controls 
for non-cash payments that are received by MSDE, each division head 
was issued an endorsement stamp labeled “for deposit only”. When a 
payment is received, the back of the check must be restrictively endorsed 
immediately with the stamp. 

The MSDE Division of Business Services will also issue an annual 
memo to all MSDE staff reminding them of the policy. In addition, the 
two divisions noted in the analysis have received stamps to ensure that 
any checks received are immediately endorsed and subsequently 
forwarded to the Accounting Office. 